From 945f205796430c367e49d6c15c1619b786ce1e2b Mon Sep 17 00:00:00 2001
From: Sven Geuer <68420948@users.noreply.github.com>
Date: Tue, 30 Jan 2024 19:46:15 +0100
Subject: [PATCH] Deprecate -L/--tlsenforce and -T/--no-ssl3.
---
 cmdline.c | 20 +++++++++++---------
 cmdline.h | 6 +++---
 docs/proxytunnel.1.adoc | 6 ------
 ptstream.c | 13 +++---------
 4 files changed, 17 insertions(+), 28 deletions(-)
diff --git a/cmdline.c b/cmdline.c
index 30ab52d..36aafae 100644
--- a/cmdline.c
+++ b/cmdline.c
@@ -69,8 +69,8 @@ void cmdline_parser_print_help (void) {
 " setups)\n"
 " -B, --buggy-encrypt-proxy Equivalent to -E -W, provided for backwards\n"
 " compatibility\n"
-" -L, --tlsenforce Enforce TLSv1 connection (legacy)\n"
-" -T, --no-ssl3 Do not connect using SSLv3 (legacy)\n"
+/*" -L, --tlsenforce Enforce TLSv1 connection (legacy)\n"
+" -T, --no-ssl3 Do not connect using SSLv3 (legacy)\n"*/
 " -z, --no-check-certificate Don't verify server SSL certificate\n"
 " -C, --cacert=STRING Path to trusted CA certificate or directory\n"
 #endif
@@ -161,7 +161,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 args_info->clientkey_given = 0;
 args_info->wa_bug_29744_given = 0;
 args_info->proctitle_given = 0;
- args_info->enforcetls1_given = 0;
+ /* args_info->enforcetls1_given = 0; */
 args_info->host_given = 0;
 args_info->cacert_given = 0;
 
@@ -194,9 +194,9 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 args_info->clientcert_arg = NULL; \
 args_info->clientkey_arg = NULL; \
 args_info->wa_bug_29744_flag = 0; \
- args_info->no_ssl3_flag = 0; \
+ /* args_info->no_ssl3_flag = 0; */\
 args_info->proctitle_arg = NULL; \
- args_info->enforcetls1_flag = 0; \
+ /* args_info->enforcetls1_flag = 0; */\
 args_info->host_arg = NULL; \
 args_info->no_check_cert_flag = 0; \
 args_info->cacert_arg = NULL; \
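Review bot: The help lines for -L and -T are wrapped in `/* ... */` inside the string-literal concatenation rather than deleted, and the same commenting-out pattern is applied to the field initialisations at @@ -161 and @@ -194, the option handlers at @@ -350 and @@ -447, and the struct members in cmdline.h at @@ -53 and @@ -90. Version control already keeps the history, so removing those lines outright is cleaner than leaving block comments around former code, and in @@ -194 a `*/\` directly before the macro line continuation is easy to misread. Since the parser still accepts both options (their `case` labels remain) and only prints a deprecation message, one replacement help line such as `"  -L, -T                      Deprecated, accepted for compatibility, no effect\n"` would tell users the flags are still recognised. cmdline_parser_print_help starts and ends outside the hunk.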
@@ -350,9 +350,10 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 break;
 case 'L':
- args_info->enforcetls1_given = 1;
+ /* args_info->enforcetls1_given = 1;
 message("Enforcing TLSv1\n");
- args_info->enforcetls1_flag = 1;
+ args_info->enforcetls1_flag = 1; */
+ message ("Option -L/--tlsenforce is deprecated and without effect\n");
 break;
 case 'o':
@@ -447,9 +448,10 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 break;
 case 'T': /* Turn off SSLv3 */
- args_info->no_ssl3_flag = !(args_info->no_ssl3_flag);
+ /* args_info->no_ssl3_flag = !(args_info->no_ssl3_flag);
 if( args_info->verbose_flag )
- message("SSLv3 disabled\n");
+ message("SSLv3 disabled\n"); */
+ message ("Option -T/--no-ssl3 is deprecated and without effect\n");
 break;
 case 'd': /* Destination host to built the tunnel to. */
diff --git a/cmdline.h b/cmdline.h
index b0cddd2..18b77e9 100644
--- a/cmdline.h
+++ b/cmdline.h
@@ -53,9 +53,9 @@ struct gengetopt_args_info {
 char *clientcert_arg; /* client SSL certificate */
 char *clientkey_arg; /* client SSL key */
 int wa_bug_29744_flag; /* Use SSL encryption only until CONNECT, if at all (def=off).*/
- int no_ssl3_flag; /* Turn off SSLv3 (default=on) */
+ /* int no_ssl3_flag; Turn off SSLv3 (default=on) */
 char *proctitle_arg; /* Override process title (default=off). */
- int enforcetls1_flag; /* Override default and enforce TLSv1 */
+ /* int enforcetls1_flag; Override default and enforce TLSv1 */
 char *host_arg; /* Optional Host Header */
 int no_check_cert_flag; /* Turn off server SSL certificate verification (default=on) */
 int enforceipv4_flag; /* Enforce IPv4 (default=off). */
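Review bot: The comment `/* Turn off SSLv3 */` on the `case 'T':` line at @@ -447 is now stale, because the handler no longer changes any flag and only prints the deprecation notice, while ptstream.c disables SSLv3 unconditionally. Replace it with `case 'T': /* Deprecated: SSLv3 is always disabled now; accepted for compatibility */`. Note also that the new message is printed regardless of verbose_flag, whereas the old "SSLv3 disabled" notice was gated on it; that is sensible for a deprecation warning but is a visible behaviour change worth a line in the commit message. The enclosing switch in cmdline_parser starts and ends outside the hunk.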
@@ -90,7 +90,7 @@ struct gengetopt_args_info {
 int clientkey_given; /* Whether client SSL key was given */
 int wa_bug_29744_given; /* Whether work around was given */
 int proctitle_given; /* Whether to override process title */
- int enforcetls1_given; /* Wheter to enforce TLSv1 */
+ /* int enforcetls1_given; Wheter to enforce TLSv1 */
 int host_given; /* Wheter we override the Host Header */
 int cacert_given; /* Whether cacert was given */
 };
diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc
index 1550011..e04b4ac 100644
--- a/docs/proxytunnel.1.adoc
+++ b/docs/proxytunnel.1.adoc
@@ -61,12 +61,6 @@ also be used for other proxy-traversing purposes like proxy bouncing.
 *-B*, *--buggy-encrypt-proxy*::
 Equivalent to *-E -W* (Provided for backwards compatibility).
 
-*-L*, *--tlsenforce*::
- Enforce TLSv1 connection (legacy).
-
-*-T*, *--no-ssl3*::
- Prevent the use of SSLv3 in encrypted connections (default: enabled).
-
 *-z*, *--no-check-certificate*::
 Do not verify server SSL certificate when establishing an SSL connection.
 By default, the server SSL certificate is verified and the target host name
diff --git a/ptstream.c b/ptstream.c
index 64a4782..8080145 100644
--- a/ptstream.c
+++ b/ptstream.c
@@ -226,7 +226,6 @@ int check_cert_names(X509 *cert, char *peer_host) {
 if (check_cert_valid_host((char*)ASN1_STRING_get0_data(gn->d.ia5), peer_host)) {
 #else
 if (check_cert_valid_host((char*)ASN1_STRING_data(gn->d.ia5), peer_host)) {
-
 #endif
 return 1;
 }
@@ -281,21 +280,15 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) {
 /* Initialise the connection */
 SSLeay_add_ssl_algorithms();
- if (args_info.enforcetls1_flag) {
 #ifdef OPENSSL11
- meth = TLS_client_method();
+ meth = TLS_client_method();
 #else
- meth = TLSv1_client_method();
+ meth = SSLv23_client_method();
 #endif
- } else {
- meth = SSLv23_client_method();
- }
 SSL_load_error_strings();
 ctx = SSL_CTX_new (meth);
- if (args_info.no_ssl3_flag) {
- ssl_options |= SSL_OP_NO_SSLv3;
- }
+ ssl_options |= SSL_OP_NO_SSLv3;
 SSL_CTX_set_options (ctx, ssl_options);
 if ( !args_info.no_check_cert_flag ) {
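Review bot: With `ssl_options |= SSL_OP_NO_SSLv3;` now unconditional and the TLSv1-only method path removed, the protocol floor on the non-OPENSSL11 branch (`SSLv23_client_method()`) is effectively TLS 1.0 and on the OPENSSL11 branch whatever the library's default minimum is; TLS 1.0 and 1.1 are themselves deprecated (RFC 8996), so this is the natural place to pin an explicit minimum, e.g. `ssl_options |= SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;` or, under OPENSSL11, `SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);` after `SSL_CTX_new`. Whether a TLS 1.2 floor is acceptable for the proxies this tool still has to traverse is a product decision, so it may belong in a follow-up, but the commit message should at least state what the effective minimum is after this change. Adjacent to the new line, `ctx = SSL_CTX_new (meth);` is still handed to `SSL_CTX_set_options` without a NULL check, which is pre-existing but worth fixing while this block is being touched. stream_enable_ssl starts and ends outside the hunk, and where ssl_options is initialised is not visible here.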